Ecommerce Forum

    
Need good PayPal link protection that can be used right on my desktop.
Kea777
msg:688590, 6:37 pm on Dec 11, 2003 (gmt 0)

Hi, I need to find a good (hopefully not expensive) program that will encrypt my PayPal links so that internet scumballs will not steal my stuff.

Anyone know of an EASY program that will encrypt an HTML PayPal link right on my desktop? Will that be secure?

Or have some other secure payment suggestions?

Thanks for any help!
Kea

 

pbreit
msg:688591, 8:00 pm on Dec 11, 2003 (gmt 0)

There are a few listed here: http://www.paypal.com/cgi-bin/webscr?cmd=p/pdn/3p-solutions-digital-goods-outside

[edited by: DaveAtIFG at 9:40 pm (utc) on Dec. 11, 2003]
[edit reason] DeLinked [/edit]

Compworld
msg:688592, 8:09 pm on Dec 11, 2003 (gmt 0)

How can they steal money from your account with a link?

CompWorld

vytal solutions
msg:688593, 3:40 am on Dec 12, 2003 (gmt 0)

Not steal money, they can steal the product being offered. At least I'm not aware of any way to steal money. I switched to ClickBank instead. Fees are higher though.

amznVibe
msg:688594, 4:07 am on Dec 12, 2003 (gmt 0)

It's called "digital shoplifting" because people can make up their own prices, etc. on checkout by editing your links. It's like slapping a different barcode on an item at the store to get a lower price.

The proper way to handle this is to use the reverse notification that PayPal gives you to check the sale and pricing before you even print or ship the item (or allow access for digital goods). There are also several easy ways to hide the code on your server using PHP, etc. to pass the data to PayPal from there instead of the shopper's browser.

panic
msg:688595, 6:42 am on Dec 12, 2003 (gmt 0)

All you have to do is not pass the item price in the form.

Just have the form pass back the SKU or item number, and have it pull the price from a database.

Simple as that.

-p

pbreit
msg:688596, 4:52 pm on Dec 12, 2003 (gmt 0)

Panic, that sort of addresses the situation but there's still the possibility of tampering which is why it's important to review all orders received.

panic
msg:688597, 6:50 pm on Dec 12, 2003 (gmt 0)

If there's room for tampering with my solution, I'd love to hear it.

yintercept
msg:688598, 6:25 pm on Dec 14, 2003 (gmt 0)

If you are using the information from PayPal for orders, everything works well. If you are selling an ebook or music, PayPal has the flaw that you have to include the return URL in the calling code. Anyone who knows HTML can figure out your return URL... load that in their browser and get the book for free. You could simply check the HTTP referrer on the final checkout page. However, people often dink with the referrer. There really needs to be a server to server call to make the process secure.

mack
msg:688599, 7:09 pm on Dec 14, 2003 (gmt 0)

You can use .htaccess to prevent access to the return page unless the referral is from PayPal.

I remember setting this up for a client before but honestly can't remember the .htaccess syntax I used, I found it online. Perhaps someone here will have a better idea.

Mack.

Jeff_H
msg:688600, 1:47 am on Dec 15, 2003 (gmt 0)

Yeah, that return page is not meant to give access to a product or service. It's meant to be a "thank you" page or "post-sales instructions".

To have your service instantly delivered, you should use PayPal IPN (instant payment notification). As far as I know, there is no way to trick this, since you verify the transaction directly via the PayPal server, meaning you can make sure the product and price match up. I don't think it's too awfully hard to work with.

Kea777
msg:688601, 7:55 am on Dec 15, 2003 (gmt 0)

What I am understanding is that there are two ways to get ripped off.

1. One is to have someone change the price of your product in the HTML from something like $10.00 to $0.00.

2. The other way is for them to simply bypass the PayPal ordering system, copy the link and just go directly to the page where they can download my product.

I am wondering how effective encryption is.
Thanks for the advice everyone! I appreciate the input.
I did check out PayPal IPN but I am hoping to find a solution a little easier to use.

How effective is encryption of the codes? Does anyone know anything about this? If I just take the PayPal button code and encrypt it on my page... will that solve the problem?

Do I have to encrypt the entire page or can I just do a paragraph or two?

There is a site I just found called www.instantsiteprotection.com and he is supposedly offering free encryption protection. I don't know yet if it works or what is up with it... guess I will try it out.

WibbleWobble
msg:688602, 3:09 pm on Dec 15, 2003 (gmt 0)

I'm not entirely sure what you're after, but in terms of links, couldn't you just use a crypt and/or md5 function on links containing sensitive data to pass to PayPal?
This seems to be what most shopping cart systems do, when integrating with PSPs.

panic
msg:688603, 5:35 pm on Dec 15, 2003 (gmt 0)

> If you are using the information from PayPal for orders, everything works well. If you are selling an ebook or music, PayPal has the flaw that you have to include the return URL in the calling code. Anyone who knows HTML can figure out your return URL... load that in their browser and get the book for free. You could simply check the HTTP referrer on the final checkout page. However, people often dink with the referrer. There really needs to be a server to server call to make the process secure.

That's why they have authentication, to see if it was a legit transaction. You might want to read up on the PayPal API.

> To have your service instantly delivered, you should use PayPal IPN (instant payment notification). As far as I know, there is no way to trick this, since you verify the transaction directly via the PayPal server, meaning you can make sure the product and price match up. I don't think it's too awfully hard to work with.

You don't set anything up on the PayPal side. You don't set any prices or anything like that... you do that using the method that I suggested earlier in this thread.

> 1. One is to have someone change the price of your product in the HTML from something like $10.00 to $0.00.

Again, they can't tamper with anything if you use a database as suggested earlier.

> 2. The other way is for them to simply bypass the PayPal ordering system, copy the link and just go directly to the page where they can download my product.

If you use PayPal authentication, this shouldn't be a problem.

> I am wondering how effective encryption is.

Encryption is always good, but it does nothing for you in this situation.

> couldn't you just use a crypt and/or md5 function on links containing sensitive data to pass to PayPal?

What would he be decrypting?

> This seems to be what most shopping cart systems do, when integrating with PSPs.

Only the shopping carts not run off of a database of some sort.
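The approach panic keeps pointing at (the browser submits only the SKU, the price comes from your own database) together with the IPN check Jeff_H describes (confirm the transaction with PayPal, then make sure product and price match before delivering), written out as an added Python example; this is not code from the thread or from PayPal. The catalog, receiver address, transaction ids, IPN bodies and the `confirm` callback are all constructed for the example; the IPN field names (`payment_status`, `receiver_email`, `item_number`, `mc_gross`, `mc_currency`, `txn_id`) are PayPal's standard ones.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlencode

# Constructed catalog for this example: SKU -> (currency, price). Only the
# server ever reads it; the shopper's HTML never carries a price.
CATALOG = {"EBOOK-01": ("USD", Decimal("10.00")), "TRACK-07": ("USD", Decimal("0.99"))}
RECEIVER = "sales@example.com"   # constructed: the PayPal account that must be paid

def checkout_fields(sku):
    """Build the PayPal request on the server. The browser only submits the
    SKU; the amount is pulled from CATALOG, so an edited form cannot set it."""
    currency, price = CATALOG[sku]          # KeyError for an unknown SKU
    return {"cmd": "_xclick", "business": RECEIVER, "item_number": sku,
            "amount": str(price), "currency_code": currency}

def validate_ipn(raw_body, confirm, seen_txns):
    """Check one IPN message before releasing a download. Returns (ok, reason).
    confirm(raw_body) must post the message back to PayPal and return True only
    for a 'VERIFIED' reply; it is injected so the example runs offline.
    seen_txns is the set of transaction ids already fulfilled (replay guard)."""
    if not confirm(raw_body):
        return False, "not verified by PayPal"
    p = {k: v[0] for k, v in parse_qs(raw_body).items()}
    if p.get("payment_status") != "Completed":
        return False, "payment not completed"
    if p.get("receiver_email", "").lower() != RECEIVER:
        return False, "paid to a different account"
    sku = p.get("item_number")
    if sku not in CATALOG:
        return False, "unknown item"
    currency, price = CATALOG[sku]
    try:
        paid = Decimal(p.get("mc_gross", ""))   # compare as money, not as strings
    except InvalidOperation:
        return False, "bad amount"
    if p.get("mc_currency") != currency or paid != price:
        return False, "price mismatch"          # the "digital shoplifting" case
    txn = p.get("txn_id")
    if not txn or txn in seen_txns:
        return False, "duplicate or missing txn_id"
    seen_txns.add(txn)
    return True, "ok"

# Constructed IPN bodies: a genuine sale and one where the shopper edited the
# price to $0.00 before checkout. PayPal reports what was actually paid, so the
# second is a real notification that simply fails the catalog check.
GOOD_IPN = urlencode({"payment_status": "Completed", "receiver_email": RECEIVER,
                      "item_number": "EBOOK-01", "mc_currency": "USD",
                      "mc_gross": "10.00", "txn_id": "TXN-CONSTRUCTED-1"})
TAMPERED_IPN = GOOD_IPN.replace("mc_gross=10.00", "mc_gross=0.00")
```

As pbreit notes, a reviewer should still look at rejected notifications: a price mismatch here is a tampered order that was paid, not a bug in PayPal.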

WibbleWobble
msg:688604, 3:18 pm on Dec 16, 2003 (gmt 0)

> What would he be decrypting?

Well, nothing, I guess, but he seemed concerned that passing a price in a query string was occurring and that it would be easy to spoof any price. Using some sort of scramble code on the outgoing link would negate this possible effect. I'm not aware of any system that fails to do this though; the only prices I've seen in query strings are in ridiculous bespoke systems.

> Only the shopping carts not run off of a database of some sort.

When passing the data to a PSP (for example, WorldPay, or PayPal) the querystring is always a jumbled mess, in every system I've used (x-cart, osCommerce, Actinic), and all of these use a DB of some sort. I've not bothered looking at the code lying behind these, but it would be logical to presume that they use a crypt() function or similar. Perhaps I'm not understanding the original problem clearly and I'm just talking about completely irrelevant things though.

panic
msg:688605, 6:06 pm on Dec 16, 2003 (gmt 0)

> Using some sort of scramble code on the outgoing link would negate this possible effect.

I'm sure if he MD5'ed or encrypted it somehow, someone would still find out how to decrypt it. It's still insecure.

> the only prices I've seen in query strings are in ridiculous bespoke systems.

You'll never see a price in any of my querystrings, bud :)

> When passing the data to a PSP (for example, WorldPay, or PayPal) the querystring is always a jumbled mess, in every system I've used (x-cart, osCommerce, Actinic), and all of these use a DB of some sort.

I'm talking about an INTERNAL database, not the PSP's database.

> I've not bothered looking at the code lying behind these, but it would be logical to presume that they use a crypt() function or similar.

How can you determine what's logical and what's not if you've never looked at the code, nor know how the programs work?

> I'm just talking about completely irrelevant things though.

Believe me... you are.

sun818
msg:688606, 9:32 am on Dec 17, 2003 (gmt 0)

Validate that all variable values are what you originally assigned them to be:
[mals-e.com...]

I don't think PayPal was designed with "digital" products in mind.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved